Two-factor authentication for local Incydr users

Overview

Two-factor authentication for local users increases the security of your Incydr environment by requiring users who authenticate directly with Incydr to provide additional verification before accessing the Incydr console and Incydr API.

For organizations integrated with an external authentication provider, this typically only applies to a very limited number of administrator accounts reserved for troubleshooting your authentication provider. However, if your organization only uses Local authentication, it applies to all users.

Before you begin

  • Review any Incydr API integrations using credentials of users in organizations in which you plan to enable local two-factor authentication. After enabling local two-factor authentication for an organization, basic authentication (username and password) is not supported. Users in that organization must use token authentication and supply the Time-based One-Time Password (TOTP) to authenticate with the Incydr API.
  • Review the organizational hierarchy of your Incydr environment. By default, child organizations inherit the local two-factor authentication setting from their parent organization. To prevent this setting from affecting unintended users, you can either move the users you want to use local two-factor authentication to an organization with no child organizations, or manually disable the setting in each child organization.

Considerations

  • Local two-factor authentication uses the Time-based One-Time Password (TOTP) algorithm and a 160-bit secret key for each user. The Google Authenticator mobile app is the tool we officially support and recommend, but other tools or apps that support the TOTP algorithm may also be compatible.
  • To configure this setting for an organization, you must sign in to the Incydr console as a user with the Multi-Factor Auth Admin role.

Affected users and components

  • Users in organizations that only use local authentication
  • Dedicated local users in organizations with an external authentication provider
  • Incydr console access
  • Incydr API authentication

Unaffected users and components

  • Users in organizations that authenticate with an external authentication provider who are not specifically defined as a local user
  • The insider risk and backup agents installed on user devices
  • Any existing multi-factor authentication mechanisms managed by your external authentication provider

Enable or disable two-factor authentication

  1. Sign in to the Incydr console.
  2. Select Administration > Environment > Organizations.
  3. Select an organization.
  4. On the Authentication tab, click Edit in the Local two-factor authentication section.
  5. If necessary, disable Inherit settings from parent.
    When enabled, the organization uses the local two-factor authentication setting of its parent organization, and the setting cannot be changed here. To change the setting, either disable inheritance or change the setting in the parent organization.
  6. Select Enabled or Disabled.
    • Enabled: Requires affected users to configure two-factor authentication (Google Authenticator is our recommended application). Users must then provide a one-time authentication code in addition to their username and password to access the Incydr console and Incydr API.
    • Disabled: Locally authenticated users are only required to provide their username and password to access the Incydr console and Incydr API.
  7. Click Save.

User sign in

After enabling Local Two-Factor Authentication for an organization, affected users are required to follow the steps below to set up their account the next time they sign in. (Future sign-ins only prompt users to obtain the verification code from their authenticator.)

  1. Upon signing in to the Incydr console, the Set Up Two-Factor Authentication message appears.
  2. Using your authenticator, scan the QR code provided (see sample below).
  3. (Optional) If you plan to script automated API requests with this account and/or integrate with other TOTP applications, copy the code from this message and save it.
  4. In the Enter 6-digit verification code field, enter the verification code displayed in your authenticator.
  5. Click Sign In.

[Image: Set Up Two-Factor Authentication prompt showing the QR code and the verification code field]
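For the scripted API use mentioned in step 3, the following Python is an added example, not part of the original article and not Incydr's own code: it derives the 6-digit code from the saved secret and avoids returning a code that is about to expire. It assumes the saved code is base32-encoded and that codes use HMAC-SHA1 with a 30-second step (Google Authenticator's defaults); INCYDR_TOTP_SECRET is a hypothetical environment variable name.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30   # assumption: Google Authenticator default time step
DIGITS = 6          # the console asks for a 6-digit verification code


def decode_secret(secret_b32: str) -> bytes:
    """Decode the setup code (assumed base32) and require a 160-bit key."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    key = base64.b32decode(cleaned)
    if len(key) != 20:
        raise ValueError(f"expected a 160-bit secret, got {len(key) * 8} bits")
    return key


def totp(key: bytes, at: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", int(at) // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_remaining(at: float) -> int:
    """Seconds until the code for time `at` rolls over."""
    return STEP_SECONDS - int(at) % STEP_SECONDS


def current_code(key: bytes, min_validity: int = 5, now=time.time, sleep=time.sleep) -> str:
    """Return a code with at least `min_validity` seconds left, waiting if needed."""
    t = now()
    if seconds_remaining(t) < min_validity:
        sleep(seconds_remaining(t))
        t = now()
    return totp(key, t)


if __name__ == "__main__":
    # Hypothetical variable name; keep the secret out of source control and logs.
    key = decode_secret(os.environ["INCYDR_TOTP_SECRET"])
    print(current_code(key))
```

The secret is equivalent to the user's second factor, so store it in a secrets manager or protected environment rather than in the script itself.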

Reset a single user's device

If a user loses or gets a new mobile device, follow the steps below to reset the two-factor authentication configuration.

  1. Sign in to the Incydr console.
  2. Select Administration > Environment > Users.
  3. Select a user.
  4. Select Actions > Reset Two-Factor Authentication.
    This invalidates the secret used to generate this user's TOTP and prompts the user to redo the initial configuration steps upon the next sign-in attempt.
